OpenVPN CA

Discussions for BiPAC 8900 series: 8900AX-1600, 8900AX-2400, 8900X
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

billion_fan wrote: Wed Feb 08, 2023 9:40 am
SPAU00 wrote: Wed Feb 08, 2023 12:49 am
billion_fan wrote: Fri Aug 20, 2021 10:48 am

Yes, let's keep this post on topic. If anyone else has unrelated comments on this topic regarding this firmware release, please submit a new post :)
The latest release of OpenVPN now considers Billion's built-in CAs, which use the SHA1 algorithm, too weak; they should be updated to SHA2.

The latest release of OpenVPN will now not connect to Billion routers using the built-in CAs, which isn't optional.
Let me check with our engineers.
Try changing the HMAC authentication as shown below.

The three Authentication options below, SHA256, SHA384 and SHA512, are SHA-2.
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

billion_fan wrote: Wed Feb 08, 2023 10:43 am
billion_fan wrote: Wed Feb 08, 2023 9:40 am
SPAU00 wrote: Wed Feb 08, 2023 12:49 am

The latest release of OpenVPN now considers Billion's built-in CAs, which use the SHA1 algorithm, too weak; they should be updated to SHA2.

The latest release of OpenVPN will now not connect to Billion routers using the built-in CAs, which isn't optional.
Let me check with our engineers.
Try changing the HMAC authentication as shown below.

The three Authentication options below, SHA256, SHA384 and SHA512, are SHA-2.
The built-in CA has been generated with the SHA1 algorithm (160 bit). The built-in CA should be regenerated with the SHA2 algorithm (256 bit), which can then be exported and used with OpenVPN clients.
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

SPAU00 wrote: Wed Feb 08, 2023 11:06 am
billion_fan wrote: Wed Feb 08, 2023 10:43 am
billion_fan wrote: Wed Feb 08, 2023 9:40 am

Let me check with our engineers.
Try changing the HMAC authentication as shown below.

The three Authentication options below, SHA256, SHA384 and SHA512, are SHA-2.
The built-in CA has been generated with the SHA1 algorithm (160 bit). The built-in CA should be regenerated with the SHA2 algorithm (256 bit), which can then be exported and used with OpenVPN clients.
What you've posted there is basically the tunnel encryption, which is as it should be.
OpenVPN works with a CA at each end of the encrypted tunnel, which should now be SHA2.
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Wed Feb 08, 2023 11:49 am
SPAU00 wrote: Wed Feb 08, 2023 11:06 am
billion_fan wrote: Wed Feb 08, 2023 10:43 am

Try changing the HMAC authentication as shown below.

The three Authentication options below, SHA256, SHA384 and SHA512, are SHA-2.
The built-in CA has been generated with the SHA1 algorithm (160 bit). The built-in CA should be regenerated with the SHA2 algorithm (256 bit), which can then be exported and used with OpenVPN clients.
What you've posted there is basically the tunnel encryption, which is as it should be.
OpenVPN works with a CA at each end of the encrypted tunnel, which should now be SHA2.
Engineers have stated the only option is to use the renew CA function. This feature will use the stronger SHA2 (SHA512) to generate it.
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

billion_fan wrote: Thu Feb 09, 2023 9:19 am
SPAU00 wrote: Wed Feb 08, 2023 11:49 am
SPAU00 wrote: Wed Feb 08, 2023 11:06 am

The built-in CA has been generated with the SHA1 algorithm (160 bit). The built-in CA should be regenerated with the SHA2 algorithm (256 bit), which can then be exported and used with OpenVPN clients.
What you've posted there is basically the tunnel encryption, which is as it should be.
OpenVPN works with a CA at each end of the encrypted tunnel, which should now be SHA2.
Engineers have stated the only option is to use the renew CA function. This feature will use the stronger SHA2 (SHA512) to generate it.
I would assume renew CA with the current firmware would present a new key with the same SHA1 algorithm. I also assume the router isn't actually generating keys and they are preinstalled on the router. Are you saying that's not the case with the current firmware?
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Thu Feb 09, 2023 9:36 am
billion_fan wrote: Thu Feb 09, 2023 9:19 am
SPAU00 wrote: Wed Feb 08, 2023 11:49 am

What you've posted there is basically the tunnel encryption, which is as it should be.
OpenVPN works with a CA at each end of the encrypted tunnel, which should now be SHA2.
Engineers have stated the only option is to use the renew CA function. This feature will use the stronger SHA2 (SHA512) to generate it.
I would assume renew CA with the current firmware would present a new key with the same SHA1 algorithm. I also assume the router isn't actually generating keys and they are preinstalled on the router. Are you saying that's not the case with the current firmware?
No. Press renew CA with the current firmware and it will generate a new CA using SHA2 (SHA512).

This will generate a random CA using SHA2.
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

billion_fan wrote: Thu Feb 09, 2023 12:57 pm
SPAU00 wrote: Thu Feb 09, 2023 9:36 am
billion_fan wrote: Thu Feb 09, 2023 9:19 am

Engineers have stated the only option is to use the renew CA function. This feature will use the stronger SHA2 (SHA512) to generate it.
I would assume renew CA with the current firmware would present a new key with the same SHA1 algorithm. I also assume the router isn't actually generating keys and they are preinstalled on the router. Are you saying that's not the case with the current firmware?
No. Press renew CA with the current firmware and it will generate a new CA using SHA2 (SHA512).

This will generate a random CA using SHA2.
You are correct. A renewed CA is SHA2; however, the renewed CA doesn't have extendedKeyUsage with client/server flags, unlike the default SHA1 CA.
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

SPAU00 wrote: Thu Feb 09, 2023 10:20 pm
billion_fan wrote: Thu Feb 09, 2023 12:57 pm
SPAU00 wrote: Thu Feb 09, 2023 9:36 am

I would assume renew CA with the current firmware would present a new key with the same SHA1 algorithm. I also assume the router isn't actually generating keys and they are preinstalled on the router. Are you saying that's not the case with the current firmware?
No. Press renew CA with the current firmware and it will generate a new CA using SHA2 (SHA512).

This will generate a random CA using SHA2.
You are correct. A renewed CA is SHA2; however, the renewed CA doesn't have extendedKeyUsage with client/server flags, unlike the default SHA1 CA.
The OpenVPN server CA should be distinguished as a server certificate. The renewed CA is not: "extendedKeyUsage = critical, serverAuth".
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Fri Feb 10, 2023 2:54 pm
SPAU00 wrote: Thu Feb 09, 2023 10:20 pm
billion_fan wrote: Thu Feb 09, 2023 12:57 pm

No. Press renew CA with the current firmware and it will generate a new CA using SHA2 (SHA512).

This will generate a random CA using SHA2.
You are correct. A renewed CA is SHA2; however, the renewed CA doesn't have extendedKeyUsage with client/server flags, unlike the default SHA1 CA.
The OpenVPN server CA should be distinguished as a server certificate. The renewed CA is not: "extendedKeyUsage = critical, serverAuth".
Our engineers are asking how you verified the renewed cert does not have "extendedKeyUsage = critical, serverAuth", so they can investigate.
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

billion_fan wrote: Mon Feb 13, 2023 9:19 am
SPAU00 wrote: Fri Feb 10, 2023 2:54 pm
SPAU00 wrote: Thu Feb 09, 2023 10:20 pm

You are correct. A renewed CA is SHA2; however, the renewed CA doesn't have extendedKeyUsage with client/server flags, unlike the default SHA1 CA.
The OpenVPN server CA should be distinguished as a server certificate. The renewed CA is not: "extendedKeyUsage = critical, serverAuth".
Our engineers are asking how you verified the renewed cert does not have "extendedKeyUsage = critical, serverAuth", so they can investigate.
The OpenVPN connection log gives the following warning, which prompted me to import the cert and take a closer look. It's not generated with extendedKeyUsage (EKU), which is bad... Renewed CAs are currently useless.
"WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."
I'm guessing the default CA is pre-installed and the renewed ones are being generated by the firmware?

The CA must be generated with "extendedKeyUsage = critical, serverAuth" and, as we're using the same CA to export to clients, "extendedKeyUsage = critical, clientAuth".

Your OpenVPN client export file should contain the line remote-cert-eku "TLS Web Server Authentication" or remote-cert-tls server.

Ask your guys to check out the link below...
https://openvpn.net/community-resources ... ecting-to/
:)
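The two complaints in this thread (the default CA being signed with SHA-1, and the renewed CA lacking an extendedKeyUsage extension so that remote-cert-tls server cannot identify the server side) can both be checked mechanically on a certificate exported from the router. The script below is an added example written for this page; it is not code from the thread, from Billion's firmware or from the OpenVPN project. It uses only the Python standard library: a minimal DER walker pulls the outer signature-algorithm OID and the EKU extension out of an X.509 certificate, and findings() turns the result into the thread's two complaints. The sample-certificate builder and the "Constructed Test CA" it produces are my own constructions (dummy key and signature, shaped like a real certificate only as far as the checker reads it); the OIDs are the standard ones from RFC 3279, RFC 4055 and RFC 5280.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) -> name; other OIDs are reported raw.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
OID_EXT_KEY_USAGE = "2.5.29.37"
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos (single-byte tags only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def pem_to_der(data):
    """Accept a PEM certificate (what the router UI exports) or raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def assess_certificate(der):
    """Report the signature algorithm and the extendedKeyUsage purposes of one certificate."""
    tbs, sig_alg = _children(_children(der)[0][1])[:2]  # Certificate ::= SEQ {tbs, alg, sig}
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    name = SIG_ALG_OIDS.get(sig_oid, sig_oid)
    result = {"signature_algorithm": name, "weak_signature_hash": "sha1" in name.lower(),
              "has_eku": False, "eku_critical": False, "eku": []}
    for tag, val in _children(tbs[1]):
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(_children(val)[0][1]):
            parts = _children(ext)  # OID, optional critical BOOLEAN, OCTET STRING
            if _decode_oid(parts[0][1]) != OID_EXT_KEY_USAGE:
                continue
            result["has_eku"] = True
            result["eku_critical"] = len(parts) == 3 and parts[1][1] == b"\xff"
            for _, oid in _children(_children(parts[-1][1])[0][1]):
                result["eku"].append(EKU_NAMES.get(_decode_oid(oid), _decode_oid(oid)))
    return result

def findings(result):
    """The two complaints from the thread as strings; an empty list means both are fixed."""
    out = []
    if result["weak_signature_hash"]:
        out.append("signed with SHA-1: current OpenVPN clients reject this CA")
    if "serverAuth" not in result["eku"]:
        out.append("no serverAuth EKU: 'remote-cert-tls server' cannot identify the server side")
    return out

def _der(tag, content):  # minimal DER encoder, used only to build constructed test certs
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = bytearray([arc & 0x7F]), arc >> 7
        while arc:
            chunk, arc = bytearray([0x80 | (arc & 0x7F)]) + chunk, arc >> 7
        body += chunk
    return _der(0x06, bytes(body))

def build_sample_certificate(sig_oid, eku_oids=(), critical=False):
    """Constructed cert: real field layout, dummy key and signature, NOT a usable CA."""
    seq = lambda *items: _der(0x30, b"".join(items))
    alg = seq(_oid(sig_oid), _der(0x05, b""))
    name = seq(_der(0x31, seq(_oid("2.5.4.3"), _der(0x0C, b"Constructed Test CA"))))
    validity = seq(_der(0x18, b"20230208000000Z"), _der(0x18, b"20330208000000Z"))
    spki = seq(seq(_oid("1.2.840.113549.1.1.1"), _der(0x05, b"")), _der(0x03, bytes(9)))
    fields = [_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), alg, name, validity, name, spki]
    if eku_oids:
        parts = [_oid(OID_EXT_KEY_USAGE)] + ([_der(0x01, b"\xff")] if critical else [])
        parts.append(_der(0x04, seq(*[_oid(o) for o in eku_oids])))
        fields.append(_der(0xA3, seq(seq(*parts))))
    return seq(seq(*fields), alg, _der(0x03, bytes(17)))
```

To check a CA exported from the router, read the file and call findings(assess_certificate(pem_to_der(data))). Building one sample with the SHA-1 OID plus serverAuth/clientAuth EKU (the default CA as described in the thread) and one with the SHA-512 OID and no extensions (the renewed CA as described) reproduces exactly the two complaints, one each; a sample with SHA-512 and a critical serverAuth EKU gets an empty list, which is the state the renewed CA needs to reach before remote-cert-tls server can be used on the clients.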